Friday, 3 May 2013

Something evil on 173.255.200.91

173.255.200.91 (Linode, US) is exhibiting the characteristics of the Neutrino Exploit kit (see URLquery and VirusTotal reports). Attempts to analyse the malware seem to be generating 404 errors, but this could simply be a defensive mechanism on the malware server (serving errors to anything that does not look like a victim's browser).

I can see the following domains on the server; ones flagged by Google for malware are highlighted. However, I would recommend blocking all domains on this server, or simply blocking the IP address.
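A defender acting on the recommendation above wants to know whether anything on the network has already talked to that server. The script below is an added example, not code from the original post: it scans constructed, simplified Squid-style proxy log lines for requests whose destination is the IP named in the post (173.255.200.91), skips lines it cannot parse, and summarises hits per internal client so the affected machines can be triaged. The log format and hostnames are assumptions made up for the example; the placeholder hostnames are not the domains from the post.

```python
"""Flag proxy-log requests to a blocked server IP (added example).

Assumptions (constructed for this example, not from the original post):
  - log lines look like "timestamp client_ip dest_ip host path"
  - the blocklist holds the single IP named in the post
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set

# The server IP from the post; a real deployment would load a full blocklist.
BLOCKED_IPS: Set[ipaddress.IPv4Address] = {ipaddress.ip_address("173.255.200.91")}

# Constructed sample log. Hostnames are placeholders ("*.invalid"), not the
# real domains seen on the server. One line is deliberately malformed.
SAMPLE_LOG = """\
1367571600.123 10.0.0.5 173.255.200.91 placeholder-a.invalid /index.php
1367571601.456 10.0.0.7 93.184.216.34 example.com /
1367571602.789 10.0.0.9 173.255.200.91 placeholder-b.invalid /a/b.jar
1367571603.001 10.0.0.5 173.255.200.91 173.255.200.91 /x
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dest>\S+) (?P<host>\S+) (?P<path>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    try:
        # Validate the destination as an IP address; hostnames in that
        # column mean the line is not in the expected format.
        fields["dest"] = ipaddress.ip_address(fields["dest"])
    except ValueError:
        return None
    return fields


def find_hits(lines: Iterable[str], blocked: Set[ipaddress.IPv4Address]) -> List[dict]:
    """Return every parsed line whose destination IP is on the blocklist."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if fields is not None and fields["dest"] in blocked:
            hits.append(fields)
    return hits


def clients_by_hit_count(hits: List[dict]) -> Dict[str, int]:
    """Count hits per internal client, so the noisiest hosts are triaged first."""
    return dict(Counter(h["client"] for h in hits))


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG.splitlines(), BLOCKED_IPS)
    for h in found:
        print(f"{h['client']} -> {h['dest']} host={h['host']} path={h['path']}")
    print("per-client:", clients_by_hit_count(found))
```

Matching on the destination IP rather than the hostname catches requests that name the server directly (the fourth sample line) as well as any domain later moved onto it, which is why the post's advice to block the IP is the more robust choice.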

The malicious domains appear to be registered to the same person, but as the email address seems to bear no relation to the person's name, the details may well be fake:

owner-name: Hans Funfell
owner-address: Mohrenstrasse 55
owner-city: Berlin
owner-state: DE
owner-country: DE
owner-postcode: 10117
owner-telephone: +49.89789200
owner-fax:
owner-email: jowiams779@gmail.com

A quick bit of Googling came up with exactly zero people called "Hans Funfell" (of course if you do it now there will be a match..)